Zcash is racing to reassure users after disclosing a serious vulnerability that could have enabled the creation of unlimited counterfeit coins within its privacy pool. The flaw affected Orchard, Zcash’s advanced shielded pool, and forced an emergency response over the past week.
How the Orchard Bug was Found and Fixed
Zcash founder Zooko Wilcox said security researcher Taylor Hornby found a “critical counterfeiting vulnerability” in the Orchard pool on May 29 during a Shielded Labs audit. Hornby reported the issue privately to the Zcash Open Development Lab (ZODL) the same day so engineers could respond before any public disclosure.
ZODL then led an emergency upgrade that paused Orchard transactions while engineers built and tested a fix. The team finished on June 2, deploying changes that restored Orchard with corrected zero-knowledge code.
Researchers say the bug sat inside Orchard’s zk‑SNARK circuit and broke a key “soundness” property that blocks invalid state changes. The flaw opened the door to the worst risk for a privacy coin: invisible inflation that never shows up on-chain.
Shielded Labs: Real, Exploitable, and Hard to Trace
Shielded Labs, which sponsored Hornby’s audit, said the bug was “real and exploitable” and confirmed that a local test exploit could generate “an unlimited amount of undetectable counterfeit ZEC” inside Orchard. Because Orchard hides transaction details, it is not possible to cryptographically prove whether anyone used the flaw before the fix was applied.
Even so, Shielded Labs said it believes prior exploitation is unlikely, citing the short window between discovery and mitigation, as well as the circuit’s complexity. The Zcash Foundation also said there is “no evidence” of unauthorized value creation and that user privacy in all pools remains intact.
To address doubts, Shielded Labs is exploring a network upgrade that would let the community verify Zcash’s total supply and “prove the non‑existence of counterfeit ZEC in the Orchard pool.” Such a change would try to reconcile Orchard with data from Sapling and transparent pools without breaking privacy guarantees.
Arthur Hayes weighed in on the situation, saying, “The Holy Trinity is dead. Sadly, due to the Orchard Pool exploit, I had to dump our entire $ZEC bag.” The remark shows that the bug changed his view of Zcash, which he had previously grouped with HYPE and NEAR.